Tune Library Security & Risk Analysis

wordpress.org/plugins/tune-library

Import your iTunes music list into Wordpress and display your song collection on any page.

10 active installs v1.6.4 PHP + WP 2.7+ Updated Feb 1, 2026
collectionituneslistmusicxml
93
A · Safe
CVEs total2
Unpatched0
Last CVEFeb 5, 2026
Safety Verdict

Is Tune Library Safe to Use in 2026?

Generally Safe

Score 93/100

Tune Library has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Feb 5, 2026Updated 5mo ago
Risk Assessment

The "tune-library" v1.6.4 plugin exhibits a mixed security posture. While it demonstrates good practices such as 100% prepared statement usage for SQL queries and a moderate number of nonce and capability checks, significant concerns arise from its attack surface and taint analysis. The presence of two AJAX handlers without authentication checks represents a direct entry point for potential unauthenticated attacks. Furthermore, the taint analysis revealed one flow with unsanitized paths, classified as high severity, which could lead to various vulnerabilities if not properly handled. The plugin's vulnerability history, including a past critical CVE and a medium CVE, with the last one being in 2026, suggests a recurring tendency towards critical and injection-based vulnerabilities. This historical pattern, combined with the current high-severity taint flow and unprotected entry points, indicates a need for heightened vigilance and thorough review.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flow
  • Past critical CVE
  • Past medium CVE
  • Insufficient output escaping
Vulnerabilities
2 published

Tune Library Security Vulnerabilities

CVEs by Year

1 CVE in 2015
2015
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Critical
1
Medium
1

2 total CVEs

CVE-2026-1401medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import

Feb 5, 2026 Patched in 1.6.4 (1d)
CVE-2015-3314critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Tune Library < 1.5.5 - SQL Injection

Apr 20, 2015 Patched in 1.5.5 (3200d)
Version History

Tune Library Release Timeline

v1.6.4Current
v1.6.31 CVE
Code Analysis
Analyzed Mar 17, 2026

Tune Library Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
35 prepared
Unescaped Output
10
22 escaped
Nonce Checks
3
Capability Checks
3
File Operations
2
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared35 total queries

Output Escaping

69% escaped32 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths
<tune-library> (tune-library.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

Tune Library Attack Surface

Entry Points3
Unprotected2

AJAX Handlers 2

authwp_ajax_tune_library_ajaxtune-library.php:1056
noprivwp_ajax_tune_library_ajaxtune-library.php:1057

Shortcodes 1

[tune-library] tune-library.php:1170
WordPress Hooks 10
actionadmin_menutune-library.php:135
actionadmin_inittune-library.php:136
filterplugin_action_linkstune-library.php:143
filterozh_adminmenu_icontune-library.php:144
actionadmin_post_tune_lib_admintune-library.php:170
actionwp_enqueue_scriptstune-library.php:1053
actionadmin_enqueue_scriptstune-library.php:1054
filterquery_varstune-library.php:1166
actionwp_headtune-library.php:1168
actioninittune-library.php:1172
Maintenance & Trust

Tune Library Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 1, 2026
PHP min version
Downloads12K

Community Trust

Rating80/100
Number of ratings1
Active installs10
Developer Profile

Tune Library Developer Profile

Yannick Lefebvre

8 plugins · 11K total installs

73
trust score
Avg Security Score
91/100
Avg Patch Time
498 days
View full developer profile
Detection Fingerprints

How We Detect Tune Library

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/tune-library/chart_curve.png

HTML / DOM Fingerprints

HTML Comments
Copyright 2020 Yannick Lefebvre (email : ylefebvre@gmail.com) Part of XML Loading Code based on Musiker (http://code.google.com/p/musiker/) by Jarvis Badgley, re-used with permission Thanks to Gary Traffanstedt for his help on testing, his great suggestions and with AJAX This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA<!-- IMPORTANT: If you are an author of this plugin, you must change the default plugin settings below. -->
Data Attributes
name="tune-library-options"method="post"enctype="multipart/form-data"id="tunelibrarypp-config"name="tunelibrarypp-config"
FAQ

Frequently Asked Questions about Tune Library